Tags: amazon-s3, amazon-ecs, aws-roles

ECS Fargate, permissions to download file from S3


I am trying to deploy an ECR image to ECS Fargate. In the Dockerfile I run an AWS CLI command to download a file from S3.

However, I require the relevant permissions to access S3 from ECS. There is a task role (under the ECS task definition, screenshot below) that I presume I can use to grant ECS the rights to access S3. However, the dropdown only provided me with the default ecsTaskExecutionRole, and not a custom role I created myself.


Is this a bug? Or am I required to add the role elsewhere?

[NOTE] I do not want to include the AWS keys as an environment variable in Docker, for security reasons.

[UPDATES]

Added a new ECS role with a permissions boundary for S3. The task role still did not show up.



Solution

  • Did you grant ECS the right to assume your custom role? As per the documentation:

    https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html#create_task_iam_policy_and_role

    A trust relationship needs to be established so that the ECS service can assume the role on your behalf.
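The trust relationship the answer refers to is a trust policy on the role whose principal is the ECS tasks service. The following is an added example, not code from the question, the answer or AWS: it embeds a constructed trust policy of that shape, a constructed least-privilege S3 read policy (the bucket name is a placeholder), and two checks a practitioner would run before wiring the role into a task definition: does the trust policy actually let `ecs-tasks.amazonaws.com` (the well-known ECS task principal) call `sts:AssumeRole`, and does the permissions policy avoid `s3:*` on `*`. A role created for another service (the constructed EC2 trust policy below) fails the first check, which is the usual reason a custom role does not behave as a task role.

```python
"""Check an IAM role's trust policy and S3 permissions policy for ECS tasks.

Added example (not from the original post). Assumes the well-known ECS task
service principal ecs-tasks.amazonaws.com; all policy documents and the bucket
name below are constructed for illustration.
"""
import json

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
BUCKET = "example-placeholder-bucket"  # placeholder, not a real bucket

# Constructed trust policy: the shape a task role needs so that ECS can
# assume it on behalf of the running task.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ECS_TASKS_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed trust policy for an EC2 instance role: a common mistake is to
# reuse such a role as a task role, which ECS cannot assume.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed permissions policy: read one prefix of one bucket, not s3:* on *.
S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/config/*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_allows_ecs_tasks(trust_policy: dict) -> bool:
    """True if an Allow statement lets ecs-tasks.amazonaws.com call
    sts:AssumeRole and no Deny statement for that principal blocks it.
    A bare Principal "*" is deliberately not accepted as a match."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        matches = ECS_TASKS_PRINCIPAL in services and (
            "sts:assumerole" in actions or "sts:*" in actions
        )
        if not matches:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny wins over any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def over_broad_statements(policy: dict) -> list:
    """Return Allow statements that grant s3:* or * actions, or act on
    Resource "*"; an empty list means the policy is scoped."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "s3:*") for a in actions) or "*" in resources:
            flagged.append(stmt)
    return flagged


if __name__ == "__main__":
    for name, doc in (("task role", TRUST_POLICY), ("ec2 role", EC2_TRUST_POLICY)):
        print(f"{name}: ECS tasks may assume -> {trust_allows_ecs_tasks(doc)}")
    print("over-broad S3 statements:", json.dumps(over_broad_statements(S3_READ_POLICY)))
```

Both checks operate on plain dictionaries, so they can be run against the JSON returned by `aws iam get-role` and `aws iam get-policy-version` as well as against the constructed documents above; the permissions policy still needs a separate `iam:PassRole` grant for whoever registers the task definition, which is outside what this example checks.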